The SafetyNet Attestation API, provided by Google, allows app developers to assess the Android device their app is running on. The API should be used as part of your misuse detection system to help determine whether your servers are interacting with your genuine app running on a genuine Android device.
The mobile services have integrated with the SafetyNet Attestation API to assess the device's integrity. To create the attestation, the API examines the device's software and hardware environment, looks for integrity issues, and compares it with the reference data for approved Android devices. The generated attestation token is bound to the nonce that the mobile services provide, and contains a generation timestamp and lifetime about the requesting app.
After Android attestation is enabled and correctly configured in the mobile services cockpit, the developer can add the
AttestationService instance to the
It will then handle the entire attestation process, including sending the attestation request and adding the attestation token to the OkHttp request header.
AttestationService takes one optional argument in the constructor to set the duration between two attestation requests. If the duration is larger than the attestation token lifetime or is not set, attestation runs when the attestation token is missing or its lifetime expires.
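```kotlin
val services = mutableListOf<MobileService>()
// Duration.ofDays(1): interval between two attestation requests
services.add(AttestationService(Duration.ofDays(1)))
// Pass the service list to the SDK initializer (spread as varargs)
SDKInitializer.start(this, *services.toTypedArray())
```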
The mobile services cockpit provides a chart that shows the attestation status of OkHttp requests. The developer can check the chart to see whether the app and device are treated as genuine by the mobile services. If Android attestation is configured in Enforced mode, failing to get an attestation token will cause OkHttp requests to back-end connections to be rejected.
Google sets the default quota allotment (per project) for calling the SafetyNet Attestation API to 10,000 requests per day across all app users. If the attestation requests exceed the quota, the mobile services cockpit will show a warning message. The developer needs to reduce the frequency of attestation requests or apply for more quota from Google.
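The refresh rule for the AttestationService duration and the daily quota described above can be checked together before choosing an interval. The following is an added example, not SDK code: `TokenState`, `effectivePeriod`, `attestationDue` and `worstCaseDailyRequests` are hypothetical names, and the 12-hour token lifetime, timestamps and fleet sizes are constructed values.

```kotlin
import java.time.Duration
import java.time.Instant

// Hypothetical model of the documented refresh rule; not the SDK's implementation.
data class TokenState(val issuedAt: Instant, val lifetime: Duration)

// The configured interval applies only when it is set and not larger than the
// token lifetime; otherwise the token lifetime decides when to attest again.
fun effectivePeriod(interval: Duration?, lifetime: Duration): Duration =
    if (interval == null || interval > lifetime) lifetime else interval

// True when a new attestation request is due at `now`.
fun attestationDue(now: Instant, token: TokenState?, interval: Duration?): Boolean {
    if (token == null) return true                      // token missing
    val period = effectivePeriod(interval, token.lifetime)
    return !now.isBefore(token.issuedAt.plus(period))   // interval elapsed or token expired
}

// Upper bound on requests per day if every device stays active for the whole day.
fun worstCaseDailyRequests(devices: Long, period: Duration): Long {
    require(!period.isZero && !period.isNegative) { "period must be positive" }
    val dayMs = Duration.ofDays(1).toMillis()
    val perDevice = (dayMs + period.toMillis() - 1) / period.toMillis()  // ceiling division
    return devices * perDevice
}

fun main() {
    val lifetime = Duration.ofHours(12)                 // constructed value, not from the page
    val issued = Instant.parse("2024-01-01T00:00:00Z")  // constructed timestamp
    val token = TokenState(issued, lifetime)
    val quota = 10_000L                                 // default daily quota stated above
    val oneDay = Duration.ofDays(1)

    // A one-day interval exceeds the 12-hour lifetime, so the lifetime governs.
    println("effective period: ${effectivePeriod(oneDay, lifetime)}")
    println("due after 6h:  ${attestationDue(issued.plus(Duration.ofHours(6)), token, oneDay)}")
    println("due after 12h: ${attestationDue(issued.plus(Duration.ofHours(12)), token, oneDay)}")
    println("due without token: ${attestationDue(issued, null, null)}")

    // Compare the worst-case request volume with the quota for several fleet sizes.
    for (devices in listOf(2_000L, 5_000L, 8_000L)) {
        val requests = worstCaseDailyRequests(devices, effectivePeriod(oneDay, lifetime))
        println("$devices devices -> $requests requests/day, within quota: ${requests <= quota}")
    }
}
```

Because a shorter token lifetime overrides a longer configured interval, the quota estimate has to use the effective period rather than the value passed to the constructor.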